Inventory Sources and Data

This topic has information about inventory sources and the inventory data they collect.

Inventory data is information about computers and users in your environment that Cloud SIEM uses to provide context to Entities in the Cloud SIEM UI. For example, when an analyst is investigating a user or system, it might be beneficial to know the department or manager to which they belong.

In addition to providing context to Cloud SIEM Insights and Entities, inventory data can be leveraged in other beneficial ways. For example, you can save computer and user information to a lookup table and use the data for search time enrichment. For more information, see Save Inventory Data to a Lookup Table.

Inventory data in the Cloud SIEM UI

The screenshots in this section show how Cloud SIEM presents inventory data in the UI.

This screenshot shows inventory data for a user on the Insight Details page. When you mouse over the Entity value, a popup appears and displays any inventory data that is available for the Entity.

Cloud SIEM image

This screenshot shows the Entity Details page; inventory data is displayed for a user.

Cloud SIEM image

About inventory data sources

Sumo Logic provides a number of Sources you can use to ingest inventory data from services such as Microsoft Azure AD, Carbon Black, and AWS EC2. Each inventory source is listed in the Inventory Source Mappings section below. The mapping table for each source shows the inventory attributes that are populated and the associated data source field or fields for each.

Some of the inventory sources are strictly for collecting inventory data; such sources usually include “Inventory” in the source name, for example, the Microsoft Azure AD Inventory Source. A few of the sources that collect inventory data also collect event data. For example, the Sailpoint Source collects inventory data about users and also collects events from the SailPoint Search API.

Some inventory sources provide user inventory information, some provide computer inventory information, and some provide both. The table below lists currently available inventory sources.

Note: The AWS Inventory Source collects the inventory of AWS resources in your AWS account, but is usable only by the Root Cause Explorer. See AWS Inventory Source.

| Inventory source | Type of source | Inventory data collected |
|---|---|---|
| Armis API Integration Source | Cloud-to-Cloud | Computer |
| Carbon Black Inventory Source | Cloud-to-Cloud | Computer |
| CrowdStrike FDR Source | Cloud-to-Cloud | Computer |
| Cloud SIEM AWS EC2 Inventory Source | Cloud-to-Cloud | Computer |
| Cylance | Cloud-to-Cloud | Computer |
| Google Workspace Source | Cloud-to-Cloud | User |
| Microsoft Azure AD Inventory Source | Cloud-to-Cloud | Computer and User |
| Okta Source | Cloud-to-Cloud | User |
| Qualys VMDR Source | Cloud-to-Cloud | Computer |
| Rapid7 Source | Cloud-to-Cloud | Computer |
| Sailpoint Source | Cloud-to-Cloud | User |
| SentinelOne Mgmt API Source | Cloud-to-Cloud | Computer |
| Tenable Source | Cloud-to-Cloud | Computer |
| Windows Active Directory Inventory Source | Part of Installed Collector | Computer and User |

Best practices for collecting inventory data

Sumo Logic Sources that collect inventory data generally have a configuration setting that controls the frequency of collection. For example, the Windows Active Directory Inventory Source has a Fetch Interval option. Similarly, the Carbon Black Inventory Source has a Polling Interval option. These frequency options are typically set to a sensible value, between 10 and 24 hours. We recommend a frequency of 24 hours. Do not collect more often than every 10 hours; if you do, you will end up collecting a lot of redundant data.

Searching inventory data

You can search the inventory data collected by inventory sources in a log search tab in Sumo Logic. You can scope your search using built-in metadata, for example, by specifying the source category assigned to the inventory source:

_sourceCategory=AD_inventory

You can run a broader search using _siemDataType=Inventory.

Inventory source mappings

There are two types of normalized inventory objects, Computers and Users. Some sources only support one type of object, others both. For each inventory source mapped into the normalized inventory object, the original data is stored in the rawRecord attribute.

Armis API Integration Source - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueId | "armis-" + id | A globally unique ID that distinguishes this object from inventory from all other sources |
| deviceUniqueId | id | A per-source unique ID |
| ip | ipAddress | |
| mac | macAddress | |
| natIp | ipAddress | |
| os | operatingSystem | |
| osVersion | operatingSystemVersion | |

Carbon Black Inventory Source - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “carbonblack” + ID | A globally unique ID that distinguishes this object from inventory from all other sources |
| hostname | name | Falls back to ip (see below) if name is not defined |
| normalizedHostname | Normalized form of name | |
| computerName | displayName | |
| ip | last_external_ip_address | Falls back to last_internal_ip_address |
| osVersion | os_version | |
| deviceUniqueId | ID | A per-source unique ID |

CrowdStrike FDR - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueId | "crowdstrike-" + id | A globally unique ID that distinguishes this object from inventory from all other sources |
| deviceUniqueId | device_id | A per-source unique ID |
| groups | groups | |
| hostname | hostname | |
| normalizedHostname | hostname | |
| ip | external_ip | |
| mac | mac_address | |
| natIp | local_ip | |
| os | os_product_name | |
| osVersion | os_version | |

Cloud SIEM AWS (EC2) Inventory Source - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | Account Id + Instance ID | A globally unique ID that distinguishes this object from inventory from all other sources |
| ip | PublicIpAddress | If PublicIpAddress is not defined it will fall back to PrivateIpAddress |
| hostname | PublicDnsName | If PublicDnsName is not defined (or is an empty string) it will fall back to PrivateDnsName |
| normalizedHostname | Normalized form of PublicDnsName | Falls back to Normalized form of PrivateDnsName |
| osVersion | os_version | |
| deviceUniqueId | Instance ID | A per-source unique ID |
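
The fallback rules in the Carbon Black and AWS EC2 mappings above decide what ends up in an Entity's `ip` and `hostname`, which matters when correlating records. The following is an added example, not Sumo Logic code: the record key names `AccountId` and `InstanceId`, plain concatenation for `uniqueID`, and trim-plus-lowercase as the "normalized form" are assumptions, and the sample records are constructed.

```python
# Added illustration, not Sumo Logic code. Sample records are constructed.

def first_defined(record, *fields):
    """Return the first listed field that is present and not an empty string."""
    for field in fields:
        value = record.get(field)
        if value not in (None, ""):
            return value
    return None

def normalize(value):
    # Assumption: the page does not define "normalized form"; trim + lowercase
    # stands in for it here.
    return value.strip().lower() if isinstance(value, str) else None

def ec2_to_computer(raw):
    # Assumptions: key names AccountId/InstanceId and plain concatenation.
    hostname = first_defined(raw, "PublicDnsName", "PrivateDnsName")
    return {
        "uniqueID": f'{raw["AccountId"]}{raw["InstanceId"]}',
        "deviceUniqueId": raw["InstanceId"],
        "ip": first_defined(raw, "PublicIpAddress", "PrivateIpAddress"),
        "hostname": hostname,
        "normalizedHostname": normalize(hostname),
        "osVersion": raw.get("os_version"),
        "rawRecord": raw,  # original data is kept alongside the mapped fields
    }

def carbonblack_to_computer(raw):
    ip = first_defined(raw, "last_external_ip_address", "last_internal_ip_address")
    return {
        "uniqueID": f'carbonblack{raw["ID"]}',
        "deviceUniqueId": raw["ID"],
        "hostname": first_defined(raw, "name") or ip,  # falls back to ip
        "normalizedHostname": normalize(raw.get("name")),
        "computerName": raw.get("displayName"),
        "ip": ip,
        "osVersion": raw.get("os_version"),
        "rawRecord": raw,
    }

# Constructed samples: a private-subnet instance and a sensor with no name.
EC2_PRIVATE = {"AccountId": "111122223333", "InstanceId": "i-0example",
               "PublicDnsName": "", "PrivateDnsName": "IP-10-0-1-25.ec2.internal",
               "PrivateIpAddress": "10.0.1.25"}
CB_NO_NAME = {"ID": 4021, "displayName": "FIN-LT-07",
              "last_internal_ip_address": "192.168.4.17"}
```

With these samples the EC2 record resolves to its private address and DNS name, and the Carbon Black record's `hostname` is an IP address, so the same attribute can hold different kinds of values from one record to the next.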

Cylance Source - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “cylance” + host_name | A globally unique ID that distinguishes this object from inventory from all other sources. Falls back to ip_address if hostname is not defined |
| hostname | host_name | |
| normalizedHostname | Normalized form of host_name | |
| osVersion | os_version | |
| deviceUniqueId | ID | A per-source unique ID |

Google Workspace Inventory Source - User

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “google-workspace” + ID | A globally unique ID that distinguishes this object from inventory from all other sources |
| userId | ID | A per-source unique ID |
| username | primaryEmail | |
| normalizedUsername | Normalized form of primaryEmail | |
| givenName | name.givenName | |
| lastName | name.FamilyName | |
| emails | emails.address | |

Microsoft Azure AD Inventory Source - Computer and User

Computer inventory data mapping

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “AzureAD” + deviceID | A globally unique ID that distinguishes this object from inventory from all other sources |
| hostname | displayName | |
| normalizedHostname | normalized(displayName) | |
| computerName | displayName | |
| normalizedComputername | normalized(displayName) | |
| groups | memberOf | |
| os | operatingSystem | |
| osVersion | operatingSystemVersion | |
| deviceUniqueId | deviceId | A per-source unique ID |

User inventory data mapping

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “AzureAD” + ID | A globally unique ID that distinguishes this object from inventory from all other sources |
| userId | ID | A per-source unique ID |
| username | mail | |
| normalizedUsername | normalized(mail) | |
| groups | memberOf | |
| givenName | givenName | |
| lastName | surname | |
| department | department | |
| emails | mail | |

Okta Source - User

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “okta” + ID | A globally unique ID that distinguishes this object from inventory from all other sources |
| username | profile.login | |
| normalizedUsername | Normalized form of profile.login | |
| givenName | profile.firstName | |
| lastName | profile.lastName | |
| emails | credentials.emails.value | |

Qualys - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueId | "qualys-" + id | A globally unique ID that distinguishes this object from inventory from all other sources |
| deviceUniqueId | assetUUID | A per-source unique ID |
| computerName | assetName | |
| normalizedComputername | assetName | |
| hostname | assetName | |
| normalizedHostname | assetName | |
| ip | address | |
| mac | networkInterfaceListData[“networkInterface”][0].macAddress | |
| natIp | address | |
| os | operatingSystem.osName | |
| osVersion | operatingSystem.version | |

Rapid7 - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueId | "rapid7-" + id | A globally unique ID that distinguishes this object from inventory from all other sources |
| deviceUniqueId | id | A per-source unique ID |
| groups | groups | |
| ip | ip | |
| natIp | ip | |
| os | os_system_name | |
| osVersion | os_version | |

Sailpoint Source - User

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “sailpoint” + ID | A globally unique ID that distinguishes this object from inventory from all other sources |
| username | email | |
| normalizedUsername | Normalized form of email | |
| givenName | name | |
| emails | email | |

SentinelOne - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueId | sentinelOne-{id} | A globally unique ID that distinguishes this object from inventory from all other sources |
| groups | groupId | |
| computerName | computerName | |
| hostname | computerName | |
| ip | lastIpToMgmt | Falls back to externalIp |
| mac | networkInterfaces[1].physical | |
| natIp | externalIp | |
| osName | os | |
| osVersion | osRevision | |
| location | locations[1].name | |
| deviceUniqueId | uuid | A per-source unique ID |

Tenable Source - Computer

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | “tenable” + id | A globally unique ID that distinguishes this object from inventory from all other sources |
| computername | hostnames.1 | |
| normalizedComputerName | Normalized form of hostnames.1 | |
| hostname | hostnames.1 | |
| normalizedHostname | Normalized form of computerName | |
| os | operating_systems.1 | |
| deviceUniqueId | id | A per-source unique ID |
| ip | ipv4s | |
| natIp | ipv4s | |

Windows Active Directory Inventory Source

Computer inventory data mapping

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | objectGUID | A globally unique ID that distinguishes this object from inventory from all other sources |
| computername | cn | |
| hostname | dNSHostName | |
| normalizedHostname | Normalized form of dNSHostName | |
| deviceUniqueId | objectSid | A per-source unique ID |
| os | operatingSystem | |
| osVersion | operatingSystemVersion | |
| groups | memberOf | Windows groups are reformatted from the LDAP form to a basic name. |

User inventory data mapping

| Inventory Attribute | Data Source Field | Note |
|---|---|---|
| uniqueID | objectSid | A globally unique ID that distinguishes this object from inventory from all other sources |
| userId | objectSid | A per-source unique ID |
| username | sAMAccountName | |
| normalizedUsername | Normalized form of sAMAccountName | |
| givenName | givenName | |
| middleName | middleName | |
| lastName | sn | |
| emails | mail | |
| groups | memberOf | Windows groups are reformatted from the LDAP form to a basic name. |

Copyright © 2024 by Sumo Logic, Inc.